Tuts 4 You

A better way to dump .NET assembly packed by a native stub


wwh1004


I once posted this on a Chinese forum; you can read it at https://www.52pojie.cn/thread-762832-1-1.html using Google Translate.

I will try my best to introduce it in English.

1. Download x64dbg and download the symbol file of clr.dll (mscorwks.dll if the runtime is .NET 2.0~.NET 3.5).

2. Set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run.

3. Use MegaDumper (I use my ExtremeDumper, based on codecracker's MegaDumper :D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program breaks at "SystemDomain::ExecuteMainMethod".

4. Fix the PE header, and maybe you should also fix the .NET header.

This way is more complex than using MegaDumper only and directly dumping the assembly. But if the assembly is packed with a native stub and protected with anti-dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good for dumping assemblies.

If you cannot understand it, you can reply to me. :)

Best wishes.

Link to post
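For step 4 of the post above, a triage check that reports which headers of a dumped image still need repair. This is an added example, not code from the original post or from ExtremeDumper; `check_dump` and `build_sample` are hypothetical names, the sample image is constructed, and the check assumes the dump is in file layout (section raw offsets valid for the file).

```python
import struct

def check_dump(img):
    """Return header problems in a dumped .NET PE image (empty list = intact)."""
    if img[:2] != b"MZ":
        return ["DOS signature 'MZ' missing"]
    (lfanew,) = struct.unpack_from("<I", img, 0x3C)
    if img[lfanew:lfanew + 4] != b"PE\0\0":
        return ["PE signature missing at e_lfanew"]
    nsec, opt_size = struct.unpack_from("<H12xH", img, lfanew + 6)
    opt = lfanew + 24
    (magic,) = struct.unpack_from("<H", img, opt)
    if magic not in (0x10B, 0x20B):
        return ["optional header magic is neither PE32 nor PE32+"]
    dirs = opt + (96 if magic == 0x10B else 112)  # start of data directories
    sections = [struct.unpack_from("<8x4I", img, opt + opt_size + 40 * i)
                for i in range(nsec)]
    def to_offset(rva):  # RVA -> file offset via the section table
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        return None
    (ndirs,) = struct.unpack_from("<I", img, dirs - 4)
    clr_rva = struct.unpack_from("<I", img, dirs + 14 * 8)[0] if ndirs > 14 else 0
    clr = to_offset(clr_rva) if clr_rva else None
    if clr is None:
        return ["CLR header directory (index 14) empty or outside every section"]
    problems = []
    cb, meta_rva = struct.unpack_from("<I4xI", img, clr)  # cb, MetaData RVA
    if cb != 72:
        problems.append("CLR header cb is %d, expected 72" % cb)
    meta = to_offset(meta_rva)
    if meta is None or img[meta:meta + 4] != b"BSJB":
        problems.append("metadata root signature 'BSJB' not found")
    return problems

def build_sample():
    """Constructed minimal PE32 headers with one section; not a real assembly."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 1, 224)   # COFF header
    struct.pack_into("<H90xI", img, 0x98, 0x10B, 16)        # magic, directory count
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2000, 72)  # CLR directory
    struct.pack_into("<8s4I", img, 0x178, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<I4xI", img, 0x200, 72, 0x2048)       # cb, MetaData RVA
    img[0x248:0x24C] = b"BSJB"                              # metadata signature
    return img
```

A truncated image raises `struct.error` rather than returning a problem list.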
BlackHat

There is a script for OllyDbg made by @GIV that also helps to unpack anti-dump protected .NET files and is newbie friendly too.
But I tested this method which you described and it works well.
Very nice explanation too. Thank you!!!

Link to post
  • 9 months later...
john fast

@wwh1004 52pojie.cn is asking for

 Account registration code:

Can you provide me an invitation link or create a new account 😅

Link to post
Sangavi
2 hours ago, john fast said:

@wwh1004 52pojie.cn is asking for

 Account registration code:

Can you provide me an invitation link or create a new account 😅

I believe they charge for giving out the invitation codes (it is not free of cost) as far as I remember.

Link to post
  • 4 months later...
thanhthuanbui0610@gmail.co

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

Link to post
  • 2 weeks later...
tungtruong20xx
On 8/23/2020 at 2:55 PM, thanhthuanbui0610@gmail.co said:

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

I have already unpacked runtime.dll. Now I don't know how to translate it all into code :(

Link to post
  • 2 weeks later...
huynhchicong91
On 9/3/2020 at 11:49 PM, tungtruong20xx said:

I have already unpacked runtime.dll. Now I don't know how to translate it all into code :(

Can you unpack netprotect v1.0?

Link to post
